ae5c8664e5
Reviewed-by: Tim Hudson <tjh@openssl.org>
106 lines
3.9 KiB
C
106 lines
3.9 KiB
C
/**********************************************************************
|
|
* keywrap.c *
|
|
* Copyright (c) 2005-2006 Cryptocom LTD *
|
|
* This file is distributed under the same license as OpenSSL *
|
|
* *
|
|
* Implementation of CryptoPro key wrap algorithm, as defined in *
|
|
* RFC 4357 p 6.3 and 6.4 *
|
|
* Doesn't need OpenSSL *
|
|
**********************************************************************/
|
|
#include <string.h>
|
|
#include "gost89.h"
|
|
#include "gost_keywrap.h"
|
|
|
|
/*-
|
|
* Diversifies key using random UserKey Material
|
|
* Implements RFC 4357 p 6.5 key diversification algorithm
|
|
*
|
|
* inputKey - 32byte key to be diversified
|
|
* ukm - 8byte user key material
|
|
* outputKey - 32byte buffer to store diversified key
|
|
*
|
|
*/
|
|
void keyDiversifyCryptoPro(gost_ctx * ctx, const unsigned char *inputKey,
|
|
const unsigned char *ukm, unsigned char *outputKey)
|
|
{
|
|
|
|
u4 k, s1, s2;
|
|
int i, j, mask;
|
|
unsigned char S[8];
|
|
memcpy(outputKey, inputKey, 32);
|
|
for (i = 0; i < 8; i++) {
|
|
/* Make array of integers from key */
|
|
/* Compute IV S */
|
|
s1 = 0, s2 = 0;
|
|
for (j = 0, mask = 1; j < 8; j++, mask <<= 1) {
|
|
k = ((u4) outputKey[4 * j]) | (outputKey[4 * j + 1] << 8) |
|
|
(outputKey[4 * j + 2] << 16) | (outputKey[4 * j + 3] << 24);
|
|
if (mask & ukm[i]) {
|
|
s1 += k;
|
|
} else {
|
|
s2 += k;
|
|
}
|
|
}
|
|
S[0] = (unsigned char)(s1 & 0xff);
|
|
S[1] = (unsigned char)((s1 >> 8) & 0xff);
|
|
S[2] = (unsigned char)((s1 >> 16) & 0xff);
|
|
S[3] = (unsigned char)((s1 >> 24) & 0xff);
|
|
S[4] = (unsigned char)(s2 & 0xff);
|
|
S[5] = (unsigned char)((s2 >> 8) & 0xff);
|
|
S[6] = (unsigned char)((s2 >> 16) & 0xff);
|
|
S[7] = (unsigned char)((s2 >> 24) & 0xff);
|
|
gost_key(ctx, outputKey);
|
|
gost_enc_cfb(ctx, S, outputKey, outputKey, 4);
|
|
}
|
|
}
|
|
|
|
/*-
|
|
* Wraps key using RFC 4357 6.3
|
|
* ctx - gost encryption context, initialized with some S-boxes
|
|
* keyExchangeKey (KEK) 32-byte (256-bit) shared key
|
|
* ukm - 8 byte (64 bit) user key material,
|
|
* sessionKey - 32-byte (256-bit) key to be wrapped
|
|
* wrappedKey - 44-byte buffer to store wrapped key
|
|
*/
|
|
|
|
int keyWrapCryptoPro(gost_ctx * ctx, const unsigned char *keyExchangeKey,
|
|
const unsigned char *ukm,
|
|
const unsigned char *sessionKey,
|
|
unsigned char *wrappedKey)
|
|
{
|
|
unsigned char kek_ukm[32];
|
|
keyDiversifyCryptoPro(ctx, keyExchangeKey, ukm, kek_ukm);
|
|
gost_key(ctx, kek_ukm);
|
|
memcpy(wrappedKey, ukm, 8);
|
|
gost_enc(ctx, sessionKey, wrappedKey + 8, 4);
|
|
gost_mac_iv(ctx, 32, ukm, sessionKey, 32, wrappedKey + 40);
|
|
return 1;
|
|
}
|
|
|
|
/*-
|
|
* Unwraps key using RFC 4357 6.4
|
|
* ctx - gost encryption context, initialized with some S-boxes
|
|
* keyExchangeKey 32-byte shared key
|
|
* wrappedKey 44 byte key to be unwrapped (concatenation of 8-byte UKM,
|
|
* 32 byte encrypted key and 4 byte MAC
|
|
*
|
|
* sessionKEy - 32byte buffer to store sessionKey in
|
|
* Returns 1 if key is decrypted successfully, and 0 if MAC doesn't match
|
|
*/
|
|
|
|
int keyUnwrapCryptoPro(gost_ctx * ctx, const unsigned char *keyExchangeKey,
|
|
const unsigned char *wrappedKey,
|
|
unsigned char *sessionKey)
|
|
{
|
|
unsigned char kek_ukm[32], cek_mac[4];
|
|
keyDiversifyCryptoPro(ctx, keyExchangeKey, wrappedKey
|
|
/* First 8 bytes of wrapped Key is ukm */
|
|
, kek_ukm);
|
|
gost_key(ctx, kek_ukm);
|
|
gost_dec(ctx, wrappedKey + 8, sessionKey, 4);
|
|
gost_mac_iv(ctx, 32, wrappedKey, sessionKey, 32, cek_mac);
|
|
if (memcmp(cek_mac, wrappedKey + 40, 4)) {
|
|
return 0;
|
|
}
|
|
return 1;
|
|
}
|